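#!/bin/bash
#
# ali_init.sh - one-shot baseline for a freshly cloned host (RHEL/CentOS 7
# layout assumed: yum, systemd, /etc/pam.d/{system,password}-auth, pam_tally2,
# /usr/libexec/openssh/sftp-server).
#
# Steps, in order:
#   1. disable SELinux (config file + runtime)          - deliberate weakening, see note
#   2. create group "ops" and users ch5java / ch0php, set a preset password hash
#   3. give the group passwordless sudo via /etc/sudoers.d/ops (validated with visudo)
#   4. replace sshd_config (validated with `sshd -t` before the old file is touched)
#   5. password quality + aging, idle timeout, failed-login lockout
#   6. install lrzsz, yum update, delete this script
#
# Must run as root.  Safe to re-run: each step is idempotent or skips objects
# that already exist (the original appended to /etc/profile and system-auth on
# every run).
#
# Environment (optional):
#   PW_CH5_HASH, PW_CH0_HASH - SHA-512 crypt hashes ("$6$..." as found in a
#       template host's /etc/shadow, from "$6" up to the next ':') used instead
#       of the built-in default.  Strongly recommended: the default below is
#       checked into this script and shared by both accounts.

set -euo pipefail

die() { printf 'ali_init: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "must run as root"

# Scratch files for content that is validated before it is installed.
tmp_sudo=$(mktemp) || die "mktemp failed"
tmp_sshd=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$tmp_sudo" "$tmp_sshd"' EXIT

# ---------------------------------------------------------------------------
# 1. SELinux off.
#    NOTE(review): this removes a mandatory-access-control layer for the whole
#    host and nothing below depends on it; if the motivation is application
#    friction, fixing labels/policy (or permissive) is the safer option.
# ---------------------------------------------------------------------------
# Anchored pattern so only the real SELINUX= line is rewritten.  The original
# `sed -in '.../p'` was parsed by GNU sed as `-i` with backup suffix "n": it
# left /etc/selinux/confign behind and, because -n was never applied, the `p`
# flag wrote the substituted line twice.
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config
# setenforce exits non-zero when SELinux is already disabled at boot, which
# would abort the script under set -e; only call it while SELinux is up.
if selinuxenabled 2>/dev/null; then
  setenforce 0
fi

# ---------------------------------------------------------------------------
# 2. Group and users.  Existing objects are left alone so re-runs do not fail.
# ---------------------------------------------------------------------------
getent group ops >/dev/null || groupadd ops
for user in ch5java ch0php; do
  id -u "$user" >/dev/null 2>&1 || useradd -g ops "$user"
done

# NOTE(review): a single hash for two accounts, stored in version control, is a
# shared credential that must be treated as compromised - override it via the
# PW_*_HASH variables and rotate after first login.
readonly default_hash='$6$7Ut2tZ2j$lZIjL02uIIjyl/pqNLLV7lEQdyq9tmQF5Xm5uGOK3Lq./6r3DmG9lBKlZzpbWGkZe1h9jc2iWc1sVnxR4gkk31'
pw_ch5="${PW_CH5_HASH:-$default_hash}"
pw_ch0="${PW_CH0_HASH:-$default_hash}"
# chpasswd -e takes pre-hashed values on stdin, so the hash is not exposed in
# the process argv the way `usermod -p HASH` is.
printf '%s:%s\n' ch5java "$pw_ch5" ch0php "$pw_ch0" | chpasswd -e

# ---------------------------------------------------------------------------
# 3. sudo for the group.
#    The original `sed '101a ...' /etc/sudoers` depended on line 101 existing
#    (silently did nothing on a shorter file) and could break sudo entirely if
#    the insertion landed mid-construct.  A drop-in validated with visudo is
#    installed instead.
#    NOTE(review): NOPASSWD:ALL is kept as the original policy; it makes any
#    shell obtained as either user equivalent to root with no second factor.
# ---------------------------------------------------------------------------
grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d' /etc/sudoers \
  || die "/etc/sudoers does not include /etc/sudoers.d; refusing to edit sudoers blindly"
printf '%%ops     ALL=(ALL)       NOPASSWD:ALL\n' >"$tmp_sudo"
visudo -cf "$tmp_sudo" >/dev/null || die "generated sudoers rule failed visudo check"
install -m 0440 -o root -g root "$tmp_sudo" /etc/sudoers.d/ops

# ---------------------------------------------------------------------------
# 4. sshd_config.
#    Written to a temp file and checked with `sshd -t` first; the live file is
#    copied (not moved) to a dated backup and only then replaced, so a failure
#    at any point leaves a working config on disk.  The original moved the
#    file away before writing and restarted without validation, which can lock
#    everyone out of a remote host.
#    The heredoc (including its comments) is the file content and is kept
#    byte-for-byte; it is quoted so nothing inside is expanded by the shell.
#    NOTE(review): X11Forwarding, GSSAPI and PasswordAuthentication stay
#    enabled as in the original.  With the shared password above, password
#    auth is the weakest link; deploy keys and switch it off when possible.
# ---------------------------------------------------------------------------
cat >"$tmp_sshd" <<'EOF'
# 秘钥指纹位置
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# 公钥保存位置
AuthorizedKeysFile .ssh/authorized_keys
# 关闭双因子认证
ChallengeResponseAuthentication no
# 允许基于GSSAPI的用户认证
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
# 启用PAM模块
UsePAM yes
# 启用x11转发
X11Forwarding yes
# 传递环境变量，如果设置不当，可能有绕过限制的风险
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# 指定一个子系统，这里设置的是sftp服务器
Subsystem sftp  /usr/libexec/openssh/sftp-server
# 关闭反向域名解析，用来确认远程主机名和ip是否对应
UseDNS no
# 指定ipv4还是ipv6地址 all/inet/inet6
AddressFamily inet
# 指定发送日志的子系统
SyslogFacility AUTHPRIV
# 允许密码登录
PasswordAuthentication yes
# 禁止root直连
PermitRootLogin no
EOF
/usr/sbin/sshd -t -f "$tmp_sshd" || die "new sshd_config rejected by sshd -t; original left in place"
cp -a /etc/ssh/sshd_config "/etc/ssh/sshd_config.$(date +%F)"
install -m 0600 -o root -g root "$tmp_sshd" /etc/ssh/sshd_config
systemctl restart sshd

# ---------------------------------------------------------------------------
# 5. Password policy, aging, idle timeout, lockout.
#    On RHEL/CentOS 7 the sshd PAM service includes password-auth, not
#    system-auth, so the original edits to system-auth alone never applied to
#    SSH logins - the lockout intended to stop brute force against
#    PasswordAuthentication=yes did nothing for sshd.  Both stacks are edited
#    here when they exist.
#    NOTE(review): running authconfig later regenerates these files.
# ---------------------------------------------------------------------------
pwq_rule='password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root'
tally_rule='auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10'
for stack in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  [[ -f "$stack" ]] || continue
  # Complexity: 12+ chars with at least one lower/upper/digit/other, root
  # included.  `c\` replaces the existing pam_pwquality line; if the stack has
  # none, nothing is changed (same as the original).
  sed -i "/pam_pwquality.so/c\\$pwq_rule" "$stack"
  # Lockout: inserted once at the top of the stack, ahead of pam_unix.
  # No unlock_time is given for non-root users, so three bad passwords lock an
  # account until `pam_tally2 --reset -u USER` - anyone who can reach sshd can
  # lock ch5java/ch0php out.  (pam_tally2 is RHEL 7; RHEL 8+ uses pam_faillock.)
  grep -q 'pam_tally2.so' "$stack" || sed -i "1i\\$tally_rule" "$stack"
done

# Aging: 90-day maximum as the system default and for ch5java.
sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS   90' /etc/login.defs
chage -M 90 ch5java
# ch0php is deliberately exempt (99999 days) in the original and is kept so;
# the rotation policy therefore never applies to that account.
chage -M 99999 ch0php

# Idle timeout.  Appended once (the original grew a new line on every run) and
# made readonly so a user cannot simply `unset TMOUT` to escape it.  Re-sourcing
# /etc/profile in an existing session will report "readonly variable" on the
# assignment; that is harmless.
if ! grep -Eq '^(export )?TMOUT=300$' /etc/profile; then
  printf 'TMOUT=300\nreadonly TMOUT\nexport TMOUT\n' >>/etc/profile
fi

# ---------------------------------------------------------------------------
# 6. Packages and self-removal.
# ---------------------------------------------------------------------------
yum -y install lrzsz
yum update -y
# Remove the script actually being executed, not whatever "ali_init.sh" happens
# to be in the current directory (the original used a relative path).
if [[ "${0##*/}" == ali_init.sh && -f "$0" ]]; then
  rm -f -- "$0"
fi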